Key takeaways
Security and access are inversely related. The simplest way to make your CRM database more secure is to restrict access because wider access means easier exploitation. Remote work and decentralized work forces, then, present major challenges for cybersecurity efforts.
Not all business data is sensitive. But most of what is found in a CRM database is absolutely sensitive information. How can companies maintain security and data privacy, while still benefiting from both CRM tools and generous work-from-home policies?
Whether you’re a CRM user, a manager, or a member of IT staff, every stakeholder can influence CRM cybersecurity, for better or worse. This article should help push things toward the “better” category, with advice aimed at every level of CRM access.
CRM user access privileges: The CRM work-from-home crew
(Almost) Anywhere operations
Some worst-case scenarios only really become possible when working remote: having your laptop stolen, someone logging in and stealing customer info while you’re not present, hackers snooping over an unsecured network, etc. These are things your IT crew can’t do much about, but you can.
Bottom line: trust no one. “Zero trust” is a standard for cybersecurity, but the same should be true for users. Here are a few tips to get you started:
- Lock your computer when you step away
- Don’t leave it unattended in public places
- Avoid public access wifi unless you have a VPN handy
- Guard against peeking like it’s high-stakes poker
ALSO READ: 6 Ways to Improve Your Social CRM Database
Offline still has risks
Don’t assume that going offline is automatically safer; it’s not. Data can also be vulnerable when it’s “at rest,” not just when it’s traveling across the network.
Sure, having access even when you don’t have a connection can be handy (sometimes wifi and mobile data can be hard to come by). But a local safe file is like a briefcase full of money—it’s only secure if it stays in your possession. If the device falls into the wrong hands, so does all of that sensitive customer information, and it’s worth a lot more than the laptop.
If internet access is required, then even once the device is unlocked, the thief has to find a way to log into your CRM database, providing another layer of protection.
Mobile madness
Similar to offline mode, mobile apps are another dangerous attack vector should your device fall into the wrong hands. That doesn’t mean that mobile companion apps are a dealbreaker, but they deserve close scrutiny. Even if they feature robust security, it’s on you to make sure your phone itself doesn’t serve as a convenient backdoor.
Strong passwords and a close watch on your device are both critical to maintaining the privacy of customer data. Public wifi, as always, is to be treated as a den of vipers. And of course, watch out for malware.
Careless whispers
Like any good spy thriller, the weakest part of any security system is the “wetware”—i.e., the flesh-and-blood components. Exploiting you as a valid CRM user makes gaining access to customer info a lot easier. Here are a few ways a hacker might do that:
- Guessing your simple passwords
- Reading passwords you wrote down on paper
- Convincing you to open/click on/download malicious links/files/etc.
- Fooling you into sharing sensitive information with a “trusted source”
- Exploiting flaws in old software which isn’t updated
In the end, your device, login info, customer data, and so on, should all be guarded as if they were a credit card in your name. Wherever and however you work, be safe. Follow the best practices you get from your IT team, and don’t assume anyone is who they say they are (by text, email, or otherwise) unless you have a way to verify it.
ALSO READ: CRM vs Marketing Automation: How are they Different?
CRM moderator access privileges: Management staff
Supervisors, team leads, directors, and execs—each of these tend to have additional functionality available to them when using CRM software. Even those without a technical background will usually have elevated access levels when they use the software.
These “mods” use the increased privileges to do things like:
- Create, modify, and delete user accounts
- Access customer data, staff files, and other digital assets across the system
- Pull records and create reports about CRM-wide trends
In other words, users have keys. Mods have “master keys.” That means that this access level requires safe user habits (see above) plus safe moderator habits.
Anyone who doesn’t need expanded access, should not have expanded access.
Due diligence and compliance concerns
Solid cybersecurity for any system starts with some universal basics—and a CRM database is no different. Rules, policies, and regulations serve as the foundation (often achieved via a cybersecurity framework), and decisions about tactics and tools are guided by those principles.
HIPPA is a good example. Healthcare teams using patient management software (i.e. CRMs for medical professionals) have to vet their vendor options by comparing their security and privacy features to HIPPA regulations. It’s a simple way to screen out high-risk candidates.
This is where management teams come in. Often, it’s not the users or the IT staff making the final decision regarding a CRM SaaS tool. It’s someone in charge of the budget.
If that’s you, the granular information about the technology may be outside your expertise, which isn’t a bad thing. But it does mean that you’re responsible for managing threats and risks you don’t fully understand. This includes your internal system and staff, and the CRM vendor you choose.
For both, you’ll need to confer with your tech experts and compare notes to be sure you’re properly addressing vulnerabilities you can’t always see on your own.
Trusted vendors
Vendors aren’t always upfront about their vulnerabilities and exposures. They may even falsely present themselves as bastions of data privacy. And even your seasoned InfoSec experts aren’t psychic. As a result, vetting vendors can be a difficult process.
Should your IT or I&O staff not have the means or resources to evaluate the dozen CRMs on your shortlist, you’re not out of luck yet. 3rd-party vendor risk assessments are available from independent security outfits, giving you a way to gain those insights without overburdening your staff.
If your organization hasn’t adopted a cybersecurity framework yet, getting an independent assessment provides a way to benchmark a vendor’s security level despite having an established standard to use internally.
Vendor risks, especially with the sensitive nature of the information stored in a CRM tool, are not to be taken lightly. The wrong CRM tool can lead to catastrophic security issues.
Blind leading the blind
Even with a well-secured CRM database, there are likely still holes in your internal team. Humans tend to be pretty fallible, but cybersecurity solutions can help safeguard against user error. I&O teams can work to prevent and respond to incidents, but most major breaches are the result of human error or oversight.
This means a great deal of the system’s security depends on how well you’ve taught your team to avoid risky behavior.
Like factory safety, food handling policies, and HIPPA methods, the rules and best practices are there for protection, even if their importance is based on expertise that most employees don’t have. Employees don’t need to know how a Man-in-the-Middle attack works to understand that using public wifi carries a high risk factor.
A policy such as “Use only secure wifi for remote work, or working in office will be required” should get the point across to even the least tech-savvy members of your team.
Above all else, model the security habits you want your team to have. “Do as I say, not as I do” is a bad parental strategy, and an even worse business leadership.
CRM database admin root privileges: IT, InfoSec, and I&O teams
Finally, we reach the root of the issue. Root privileges, that is.
Tech teams are in the unfavorable position of trying to deliver expected functionality to users and managers while knowing exactly what’s at stake whenever one of them uses “password” as their password.
By no means should the whole burden rest on their shoulders, but most non-tech staff won’t understand details like “storing login credentials in plaintext,” so it’s these experts who need to raise the red flags that others can’t see.
Data dilemmas
Data, specifically PII (Personally Identifying Information) functions like Marvel’s Infinity Stones. Useful, powerful, in some cases critical to accomplishing the task at hand. But disastrous when acquired by those with malicious intent.
CRM databases, like nearly every cloud-enabled software tool, must reckon with three areas of data vulnerability: transmission, storage, and disposal. Thus, any potential CRM vendor needs to adequately address those three attack vectors, and answer questions like:
- How do you protect data at rest? Is it encrypted? Is it stored on private servers? Is access monitored and recorded?
- What protects the data during use? How is it transmitted between the client and the server? How are user credentials verified to prevent unauthorized access?
- When data-bearing assets are erased, what safeguards prevent unauthorized recovery? How do you handle data from a canceled account? Will we have a transparent view into processes that affect our data?
We’re mentioning this because of your peers in the above user categories, who likely won’t understand the tech jargon. For one, if you teach them the questions to ask, they may be able to do some of the digging for you. A nominal understanding will help when you tell them why a given vendor is a no-go.
Identity crises
If the term “zero trust” rings a bell, you’re likely familiar with the issue of access/identity management. You should demand the same stringent security efforts from any CRM vendor your team asks you to investigate.
How the CRM tool handles user credentials is important. Everything from how those credentials are stored, to when logins are required, is vital to the security of your customer and employee data. Beyond that, look for additional flexibility to customize authentication functionality to meet your specific use case.
Don’t accept cookie cutter responses.
Calling in backup
Don’t be afraid to suggest outsourcing some of the risk assessment process. IT services are outsourced all the time, vendor risk assessments included.
Like any IT service, it’s an investment, and that may be a bit of a hard sell to those who manage the budget. If so, point to the potential cost of omitting the assessments and trusting an unsecure CRM vendor. Surplus security is always preferable to a preventable loss.
Making the right choice
CRMs can be great for improved efficiencies and better customer experience. But they’re also another gold vault to protect, so the selection and usage of a CRM should be done with care. And no single employee or department can protect a system on their own.
Cybersecurity is a team effort, and as the business world becomes increasingly digital-dependent, the importance of solid security practices increases with it.
It’s not always convenient, but the more seriously we treat security efforts, the safer everyone using the internet will be.
Looking for the latest in CRM solutions? Check out our CRM Software Buyer’s Guide.